Saturday, September 26, 2015

Password Reuse

I listen to a lot of MLB Network on XM Radio during my drive to and from work each day. So one of the big stories that I've heard a lot about recently is the case of St. Louis Cardinals personnel hacking into a database owned by the Houston Astros, allowing them to see proprietary data about player evaluations, amateur draft strategy, and potential trades with other teams. In other words, the keys to the Astros' kingdom. At first it sounded like a front office person had moved from Houston to St. Louis and continued to use login credentials that had never been disabled. So, like every time I see someone's Facebook status changed to "HA HA I Hacked Your Facebook!", my initial reaction was WTF? That's not hacking.

However, what really happened is that Jeff Luhnow left St. Louis for Houston, taking a number of staffers with him. Not long after arriving in Houston, the database in question (known internally as Ground Control) was built, and it looked suspiciously like the one in use in St. Louis (known as Redbird). Enough so that Chris Correa did not believe it was coincidental. So the story goes that Correa, who was the scouting director at the time of his termination (though it's not clear exactly what position he held during the time of these events), became suspicious of this new Astros database and wanted to investigate further. Using a master list of passwords left behind by Luhnow and the others who left, Correa and others were able to gain access to the Astros network.

Correa just recently pleaded guilty to five counts of unauthorized access to computer information, each charge carrying a maximum penalty of five years imprisonment and a $250,000 fine. Despite the limited amount of access he pleaded guilty to, some reports are saying that Correa and/or other Cardinals front office staff were in the Astros database repeatedly for well over a year and saw pretty much everything.

So what's the point of all of this? Simple: good password security could have prevented this whole thing. The personnel who moved over to the Astros reused passwords, knowing that those passwords were on a list handed to the Cardinals when they left. Don't reuse passwords. Don't reuse passwords ESPECIALLY if someone has a list of your previously used passwords, which probably shows you have a history of password reuse. Personally, I like to let KeePass generate good 15 - 20 character passwords for me (upper case, lower case, numbers, symbols, all random), and then I just need to remember the password to the computer, the password to my Dropbox account where the KeePass file is, and the password to the KeePass file. There are even KeePass apps for Android and iOS.
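As an added illustration of the practice recommended above (this is not code from the post's author or from KeePass), here is a small Python password generator that draws from the OS CSPRNG, requires all four character classes, and refuses any password whose hash appears in a history of previously used passwords, which is exactly the "master list" problem the story describes. All function names and the sample history are constructed for this example.

```python
import hashlib
import secrets
import string

# The four character classes the post wants in a generated password.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
ALPHABET = "".join(CLASSES.values())
MIN_LENGTH = 15  # lower end of the 15-20 character range recommended in the post


def fingerprint(password: str) -> str:
    """Hash a password so a reuse history never holds plaintext. SHA-256 is
    enough to detect exact reuse here; it is not a credential-storage hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate: str, history: set[str]) -> list[str]:
    """Return the policy violations for a candidate password (empty list = OK).
    `history` is a set of fingerprints of previously used passwords."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in candidate):
            problems.append(f"missing_{name}")
    if fingerprint(candidate) in history:
        problems.append("reused")
    return problems


def generate_password(length: int = 20, history: set[str] = frozenset()) -> str:
    """Draw a password from the OS CSPRNG, rejecting draws that fail the policy
    so the result stays uniform over policy-compliant strings."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate, history):
            return candidate


if __name__ == "__main__":
    # Constructed sample history: fingerprints of passwords someone left behind.
    old_list = {fingerprint("Summer2013!Redbird"), fingerprint("draftboard#2012")}
    print(check_password("Summer2013!Redbird", old_list))  # ['reused']
    print(check_password("short1!A", old_list))            # ['too_short']
    print(generate_password(20, old_list))
```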

Note: After rereading this post, I feel like it looks a bit like a paid advertisement for XM radio and/or Keepass. That is not the case, really.

